V1 body limit

This pr addresses #941, it implements a body size limit layer to reject v1 request whose body
is greater than 7168 byts. The handler for direct v1 sender request has no size check
and calls body.collect() irrespective of payload size. The limiter prevents this behaviour.

the direct v1 call was also extracted into its own router.

Author: zealsham

payjoin-mailroom/src/directory.rs

@@ -18,7 +18,7 @@ const CHACHA20_POLY1305_NONCE_LEN: usize = 32; // chacha20poly1305 n_k
 const POLY1305_TAG_SIZE: usize = 16;
 pub const BHTTP_REQ_BYTES: usize =
     ENCAPSULATED_MESSAGE_BYTES - (CHACHA20_POLY1305_NONCE_LEN + POLY1305_TAG_SIZE);
-const V1_MAX_BUFFER_SIZE: usize = 65536;
+pub(crate) const V1_MAX_BUFFER_SIZE: usize = 7168;
 
 const V1_REJECT_RES_JSON: &str =
     r#"{{"errorCode": "original-psbt-rejected ", "message": "Body is not a string"}}"#;

payjoin-mailroom/src/lib.rs

@@ -13,6 +13,7 @@ use tokio_listener::{Listener, SystemOptions, UserOptions};
 use tower::{Service, ServiceBuilder};
 use tracing::info;
 
+use crate::directory::V1_MAX_BUFFER_SIZE;
 use crate::ohttp_relay::SentinelTag;
 
 #[cfg(feature = "access-control")]
@@ -354,8 +355,12 @@ fn build_app(services: Services) -> Router {
     #[cfg(feature = "access-control")]
     let geoip = services.geoip.clone();
 
+    let v1_method_router = axum::routing::post(v1_post_handler).fallback(route_request);
+    let v1_router = Router::new().route("/{id}", v1_method_router);
+
     #[allow(unused_mut)]
     let mut router = Router::new()
+        .merge(v1_router)
         .fallback(route_request)
         .layer(
             ServiceBuilder::new()
@@ -374,6 +379,19 @@ fn build_app(services: Services) -> Router {
     router
 }
 
+async fn v1_post_handler(
+    State(mut services): State<Services>,
+    req: axum::extract::Request,
+) -> Response {
+    let (parts, body) = req.into_parts();
+    let limited = http_body_util::Limited::new(body, V1_MAX_BUFFER_SIZE);
+    let req = axum::http::Request::from_parts(parts, axum::body::Body::new(limited));
+    match services.directory.call(req).await {
+        Ok(res) => res.into_response(),
+        Err(e) => (axum::http::StatusCode::INTERNAL_SERVER_ERROR, e.to_string()).into_response(),
+    }
+}
+
 async fn route_request(
     State(mut services): State<Services>,
     req: axum::extract::Request,
@@ -565,4 +583,45 @@ mod tests {
         assert!(metric_names.contains(&TOTAL_CONNECTIONS), "missing total_connections");
         assert!(metric_names.contains(&ACTIVE_CONNECTIONS), "missing active_connections");
     }
+
+    #[tokio::test]
+    async fn v1_post_rejects_oversized_body() {
+        use axum::body::Body;
+        use axum::http::Request;
+        use payjoin::directory::ShortId;
+        use tower::ServiceExt;
+
+        let tempdir = tempdir().unwrap();
+        let config = Config::new(
+            "[::]:0".parse().expect("valid listener address"),
+            tempdir.path().to_path_buf(),
+            Duration::from_secs(2),
+            Some(crate::config::V1Config::default()),
+        );
+
+        let sentinel_tag = generate_sentinel_tag();
+        let services = Services {
+            directory: init_directory(&config, sentinel_tag).await.unwrap(),
+            relay: crate::ohttp_relay::Service::new(sentinel_tag).await,
+            metrics: MetricsService::new(None),
+            #[cfg(feature = "access-control")]
+            geoip: None,
+        };
+
+        let app = build_app(services);
+
+        let id = ShortId([0u8; 8]).to_string();
+        let oversized = vec![b'a'; V1_MAX_BUFFER_SIZE + 1];
+        let request = Request::builder()
+            .method("POST")
+            .uri(format!("/{id}"))
+            .body(Body::from(oversized))
+            .unwrap();
+        let response = ServiceExt::<Request<Body>>::oneshot(app, request).await.unwrap();
+        assert_eq!(
+            response.status(),
+            axum::http::StatusCode::BAD_REQUEST,
+            "oversized v1 POST body should be rejected"
+        );
+    }
 }